CVE-2020-11803
Published 2020-09-17
Priority P262 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.55% (93.8th percentile)
An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juniper | junos_os | — | — |
| titanhq | spamtitan | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to mailqueue.php where the 'jaction' parameter contains PHP code constructs such as shell_exec, base64_decode, or eval-injectable payloads (e.g., semicolons, dollar-sign variable assignments, or die() calls).
- Alert on POST requests to mailqueue.php with a jaction parameter value matching the pattern: gotopage+a+";$b=...;shell_exec(base64_decode(urldecode(...)));die();
- Detect outbound wget requests from the SpamTitan host to external URLs followed by execution of a downloaded Python script at /tmp/r.py, which is indicative of reverse shell staging.
- Monitor for CSRF token extraction patterns in HTTP responses from certs.php (regex: 'var csrf_token_postdata =.*CSRFName=(.*)&CSRFToken=(.*)') followed immediately by a POST to mailqueue.php or certs-x.php. This sequence is characteristic of the exploit chain.
- Flag inbound connections to port 4242 from the SpamTitan server IP, as the PoC exploit defaults to this port for the reverse shell listener.
- Exploitation requires prior authentication to the SpamTitan web platform; unauthenticated access alone is insufficient to trigger the eval() injection via jaction.
- The vulnerability likely affects versions prior to 7.07 as well, so detection and patching scope should not be limited to exactly version 7.07.
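
The jaction-content and certs.php-then-POST checks from the list above, written as a log scan. This is an added example, not code from the advisory or its sources. It assumes request records that include the POST body (for instance from a WAF or reverse proxy); the record layout, `CHAIN_WINDOW` and every sample value are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructs the bullets above name as signs of PHP injected into jaction.
SUSPICIOUS = re.compile(r"shell_exec|base64_decode|eval\s*\(|die\s*\(|;|\$\w+\s*=")
CHAIN_WINDOW = 10  # seconds between the certs.php fetch and the POST (assumed value)

def jaction_findings(body):
    """Return the suspicious constructs found in the URL-decoded jaction value."""
    values = parse_qs(body, keep_blank_values=True).get("jaction", [])
    return sorted({m.group(0) for v in values for m in SUSPICIOUS.finditer(v)})

def scan(records):
    """records: (epoch_seconds, client_ip, method, url, body) tuples in time order."""
    last_certs = {}  # client_ip -> time of that client's last certs.php request
    alerts = []
    for ts, ip, method, url, body in records:
        page = urlsplit(url).path.rsplit("/", 1)[-1]
        if page == "certs.php":
            last_certs[ip] = ts
            continue
        if method != "POST" or page not in ("mailqueue.php", "certs-x.php"):
            continue
        hits = jaction_findings(body) if page == "mailqueue.php" else []
        # Sequence check: same client fetched certs.php just before this POST.
        chained = ip in last_certs and ts - last_certs[ip] <= CHAIN_WINDOW
        if hits or chained:
            alerts.append({"ts": ts, "ip": ip, "page": page,
                           "constructs": hits, "after_certs_fetch": chained})
    return alerts

# Constructed sample records (not real traffic); PAYLOAD stands in for the encoded blob.
SAMPLE = [
    (100, "10.0.0.5", "GET", "/mailqueue.php", ""),
    (101, "10.0.0.5", "POST", "/mailqueue.php", "jaction=gotopage&page=2"),
    (200, "10.0.0.9", "GET", "/certs.php", ""),
    (201, "10.0.0.9", "POST", "/mailqueue.php",
     "jaction=gotopage+a+%22%3B%24b%3D%22PAYLOAD%22%3Bshell_exec"
     "(base64_decode(urldecode(%24b)))%3Bdie()%3B"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The sequence check on its own will also fire for an administrator who opens certs.php and then acts on the mail queue, so treat `after_certs_fetch` without any `constructs` as lower confidence.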
CVSS provenance
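| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |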
GHSA
GHSA-hfpp-6hrw-77h9 · ghsa_unreviewed · 2022-05-24
CVE-2020-11803 [HIGH] CWE-20
Juniper
CVE-2020-1668 [MEDIUM] CWE-400 · vendor_juniper · 2020-10-16 · CVSS 6.5

On Juniper Networks EX2300 Series, receipt of a stream of specific multicast packets by the layer2 interface can cause high CPU load, which could lead to traffic interruption. This issue occurs when multicast packets are received by the layer 2 interface. To check if the device has high CPU load due to this issue, the administrator can issue the following command:

```
user@host> show chassis routing-engine
Routing Engine status:
...
Idle 2 percent
```

the "Idle" value shows as low (2 % in the example above), and also the following command:

```
user@host> show system processes summary
...
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU COMMAND
11639 root 52 0 283M 11296K select 12:15 44.97% eventd
11803 root 81 0 719M 239M RUN 251:12 31.98% fxpc{fxpc}
```

the eventd and the fxpc processes mig
- http://packetstormsecurity.com/files/159218/SpamTitan-7.07-Remote-Code-Execution.html
- https://github.com/felmoltor
- https://sensepost.com/blog/2020/clash-of-the-spamtitan/
- https://twitter.com/felmoltor
- https://www.spamtitan.com/